
Kaspersky detecting my crypter executing

ilcrba

I am using a public LoadPE method off of GitHub for my stub. I can crypt Mimikatz and it will bypass Windows Defender both statically and dynamically. When run against Kaspersky it gets caught after a couple of minutes.

My question is, how do I defeat this? I am able to successfully LoadPE without getting caught. It just gets caught a couple of minutes after Mimikatz is running, even if I am not running any Mimikatz commands. Is the AV scanning the process memory and finding strings related to Mimikatz? Is this an emulator detection? I do not have any anti-debugging or anti-sandbox built into this.

I am just not sure if this is an issue on my end, or if this is just the nature of the game and I can't use a well-known program like Mimikatz.
 
Sounds like a memory detection of mimi. KIS detects not only strings but meta signatures, like for a physical file on disk.
You may try some memory anti-detection methods like https://github.com/JLospinoso/gargoyle, etc.
 
Not sure that it would be on disk, as mimi is obfuscated while attached to my stub, so it is only readable in memory. The other option is that it is run in a sandbox and it is being detected from that. I have a 20-second sleep in it, but if it is run in a sandbox that wouldn't be an issue. Maybe I should add some anti-sandbox and see what happens?

The gargoyle project is a bit confusing for me. A little above my level of understanding.

I am also just testing with Mimikatz because I figure if I can get that past AVs, then other malware should be easier.
 
What I might do is set up a function at the start of my stub to check if the current username is the username I am expecting. If it is, then continue execution. If it isn't, then exit the program. That way when it is run in an emulator it will just exit. If it doesn't get caught anymore, then I would imagine it is from being run in an emulator.
 
I added a few functions that should not allow execution to continue in a sandbox. I added a function to check the username, which I hard-coded to my VM. I also added a function to check if a certain file existed on the desktop. It was able to run and was still caught by Kaspersky.

My guess is Kaspersky is just scanning the process memory and sees Mimikatz, either by recognizing hashes or strings. My next goal would be to try and compile Mimikatz while removing the strings and see if I can modify enough of it to not be detected.
 
Your sleep doesn't matter; it will be skipped by the AV VM.
There are a couple of other methods to dump system credentials other than mimi.
 
Yeah, I am mainly just trying to get something developed that will get everything to bypass Kaspersky. I am just using Mimikatz because it is so heavily detected. So if I can get Mimikatz to work, then I figure I can get anything to work.

Right now my stub checks if the current user is a specific user and then checks the desktop for a specific file I created. If both of them are not there, then it will not execute. So if run in a sandbox it shouldn't be run, unless AV can skip those as well. My stub is still caught by Kaspersky for behavior analysis. The only thing that I did was launch the stub, which then launches Mimikatz. And I never ran any of the Mimikatz functions; it just sits at the prompt. So I am not sure how they are detecting it. My guess is checking the imports and noticing all the common imports of mimi as well as function names, or possibly scanning memory, but not sure if that would be behavior analysis or not.
 
Mimikatz extracts libraries and drivers from itself, and those get detected. To prevent this, rewrite it, that's all: add code permutation on recompilation plus a built-in polymorphic engine.
 
I can create some code that will generate different stubs each time, as well as adding junk functions and such. That is not a problem. From what it looks like, once Mimikatz is running there is nothing I can do about it to help it not get detected. At the end of the day, Mimikatz is in memory somewhere and Kaspersky is going to find it. I was just hoping I could find a way to prevent Kaspersky from finding it, whether that be injecting it into a process that does not get scanned or modifying permissions on the memory that mimi is running in. But that seems to not be possible with this LoadPE method.

stub.exe is going to execute, decrypt mimi, patch up the process and then resume execution at the mimi entry point. At that point Mimikatz code is running and I cannot control what it does. If I write my own Mimikatz-like tool, then I can add logic to help defeat AVs. My main goal is just getting Mimikatz to not be caught. I don't plan on using Mimikatz or even using this at all; this is just a learning project for myself.
 
Have been busy. I tested a bunch of ideas against Kaspersky. I created my own version of the Gargoyle PoC in a much simpler way. It would work; however, if a memory scan happened at the same time the data was unencrypted, it would be caught. The only options are to figure out how/why Kaspersky is picking this process/memory to scan and prevent it (hooks? trusted process?) or to somehow decrypt the code as it is being run. So keeping like 95% of the executable code encrypted and only decrypting what is running would be ideal.

An old packer by the name of Armadillo did this, but I can't find source or anything.

I found a few projects that do this by hooking Sleep:
Sleepycrypt, ekko, freeze, etc.

All of them rely on a sleep time to switch between encrypted/decrypted. The issue is this puts the data at risk more than it should. So having a way to only have it decrypted while in use is the best way.
 